Internet Society’s broadest audit yet sees dramatic increases in overall website security driven by improvements in email authentication and session encryption
16 April 2019 – The Internet Society’s Online Trust Alliance (OTA), which identifies and promotes security and privacy best practices that build consumer confidence in the Internet, announced today the results of its latest Online Trust Audit & Honor Roll – the de facto standard for recognizing excellence in online consumer protection, data security and responsible privacy practices. This tenth annual audit of more than 1,200 predominantly consumer-facing websites is the largest undertaken by OTA, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.
Download the full report now at https://otalliance.org/2018HonorRoll.
“From the global economy to daily individual interactions, more and more of our lives are conducted online. Yet every day brings headlines showing a lack of attention to consumer data and privacy protection,” said Jeff Wilbur, Technical Director of the Internet Society’s Online Trust Alliance. “The OTA Trust Audit & Honor Roll identifies organizations that place a premium on security and privacy, while shining a light on the sectors that have to work harder to earn society’s trust.”
The Audit found that 70 percent of analyzed websites qualified for the Honor Roll, the highest proportion ever, and up from 52 percent in 2017, driven primarily by improvements in email authentication and session encryption. The Federal government category surged to the front with 91 percent of sites placing on the honor roll, a dramatic turnaround from 2017 when government sites had bottomed out at 39 percent recognition. The Federal category supplanted last year’s winner, consumer services, which finished second this year at 85 percent (OTA considers consumer services any website that requires consumers to create an online account such as social media, payment services, video streaming, file sharing, or dating).
Healthcare, a new sector this year that includes pharmacies, testing labs, insurance companies, and hospital chains, had the lowest overall honor roll placement at 57 percent. Followed by ISPs, carriers, hosters and email providers at 63 percent.
Overall, the audit found a strong move toward encryption, with 93 percent of sites encrypting all web sessions (compared to 52 percent in 2017). Email authentication is also at record highs; 76 percent of sites use both SPF and DKIM (versus 48 percent in 2017) and 50 percent have a DMARC record (versus 34 percent previously). One growth opportunity is use of mechanisms for vulnerability reporting, which rose sharply in online retail, news and hosting companies, but were used by only 11 percent of organizations overall.
“The Online Trust Alliance has made great progress in advocating for a higher standard for internet security,” said Neil Daswani, senior vice president, consumer chief information security officer, Norton LifeLock. “We are honored to be recognized for our strength in cyber safety and are proud to be a part of the very critical work the OTA is doing to help make the internet a safer place for all.”
“To put the audit findings in context, almost every sector improved its security and privacy practices, and the record scores reflect that,” said Wilbur. “The U.S. Government in particular made stunning improvements, from near last in 2017 to top of the class in 2018. Unfortunately, some sectors still have a long way to go to demonstrate acceptable security and privacy practices.”
Industry Highlights – From best to worst performing industries:
- Government: (2017: 5th) 91 percent of audited U.S. federal government sites made the Honor Roll. Government sites scored highest in site security (94 percent), DMARC adoption (93 percent) and policy enforcement (83 percent), and IPv6 adoption (46 percent).
- Consumer Services: (2017: 1st) 85 percent of audited consumer services sites made the Honor Roll. These sites led in adoption of email authentication (96 percent) and scoring for overall privacy practices (76), and had the highest use of vulnerability reporting (43 percent). Unfortunately, they also had the highest breach rate (34 percent).
- News & Media: (2017: 3rd) This category was expanded to include sports sites. Significant improvement to an 78 percent score (vs 48 percent in 2017), thanks largely to nearly quadrupling use of always-encrypted sessions.
- FDIC 100 Banks: (2017: last) Banks made significant improvement to 73 percent, nearly triple 2017’s dismal 27 percent ranking, showing significant improvement in email authentication, the highest use of extended validation certificates (more than double the next closest sector) and lowest instance of cross-site scripting.
- Internet Retailers: (2017: 2nd) While 65 percent of internet retailers made the honor roll, better than last year’s 51 percent, this sector was outpaced by improvements in most other sectors. Email authentication improved, but privacy failures rose nearly 50 percent due to third party data sharing.
- ISPs, Carriers, Hosters & Email Providers: (2017: 4th) 63 percent of companies in this category made the Honor Roll, a solid improvement over 2017’s 46 percent, thanks largely to significant improvement in email authentication.
- Healthcare: (2017: unranked) This new sector showed the lowest overall placement on the Honor Roll at 57 percent, largely due to sparse adoption of email authentication and always-encrypted sessions. The industry did show the second highest scores for privacy.
As the only comprehensive, independent online trust benchmark study, the OTA Online Trust Audit evaluates sites in three categories: consumer protection, site security, and responsible privacy practices. Based on a composite weighted analysis, sites that score 80 percent or better overall, without failing in any one category, are recognized in the Honor Roll. 2018 criteria were updated to include GDPR compliance, and the full 2018 audit methodology is available at https://otalliance.org/2018Methodology. OTA and its data partners collected and analyzed website data between December 10, 2018 and January 31, 2019. It estimates that it analyzed more than 500 million email headers and approximately 100,000 web pages. Data providers included Agari, Disconnect, Dmarcian, High-Tech Bridge, Google, Infoblox, Internet.nl, Mozilla, Sucuri, Qualys SSL Labs, Symantec, Twitter, ValiMail and Verisign. Symantec helped sponsor the audit.
OTA will host a webinar to discuss the Audit results on 24 April, from 1PM-2PM ET (17:00 UTC) for the ISOC community webinar. See https://otalliance.org/2018HonorRoll for more information.
The Internet Society’s Online Trust Alliance (OTA) identifies and promotes security and privacy best practices that build consumer confidence in the Internet. Leading public and private organizations, vendors, researchers, and policymakers contribute to and follow OTA’s guidance to help make online transactions safer and better protect users’ data. The Internet Society is a global nonprofit dedicated to ensuring an open, globally connected, trustworthy, and secure Internet for everyone.